1 /*
2 * hostapd / EAP Full Authenticator state machine (RFC 4137)
3 * Copyright (c) 2004-2014, Jouni Malinen <j@w1.fi>
4 *
5 * This software may be distributed under the terms of the BSD license.
6 * See README for more details.
7 */
8
9 #ifndef EAP_H
10 #define EAP_H
11
12 #include "common/defs.h"
13 #include "utils/list.h"
14 #include "eap_common/eap_defs.h"
15 #include "eap_server/eap_methods.h"
16 #include "wpabuf.h"
17
/* Opaque EAP server state machine; the definition is private to the EAP
 * server implementation and callers only ever hold a pointer to it. */
struct eap_sm;

/* Values for eap_user.ttls_auth: bit flags (powers of two) naming the
 * inner authentication types permitted inside EAP-TTLS; combine with |. */
#define EAP_TTLS_AUTH_PAP 1
#define EAP_TTLS_AUTH_CHAP 2
#define EAP_TTLS_AUTH_MSCHAP 4
#define EAP_TTLS_AUTH_MSCHAPV2 8
24
/*
 * struct eap_user - Per-user authentication data for the EAP server
 *
 * Filled in through eapol_callbacks::get_eap_user() for a given identity.
 * The password and salt buffers are heap pointers; they are presumably
 * released by eap_user_free() (declared below) -- confirm ownership against
 * the callback implementation before reusing the buffers elsewhere.
 */
struct eap_user {
	/* EAP methods this user is allowed to use, as (vendor, method) pairs.
	 * Unused entries and the significance of the order are decided by
	 * the implementation; not visible here. */
	struct {
		int vendor;
		u32 method;
	} methods[EAP_MAX_METHODS];
	u8 *password; /* password_len octets; plaintext or NT hash, see
		       * password_hash */
	size_t password_len;
	int password_hash; /* whether password is hashed with
			    * nt_password_hash() */
	u8 *salt; /* optional salt (salt_len octets) for the stored password;
		   * NULL when not used -- format is defined by the caller,
		   * verify before depending on it */
	size_t salt_len;
	int phase2; /* entry applies to the inner (phase 2) method, mirroring
		     * the phase2 argument of get_eap_user() -- presumably */
	int force_version; /* force a specific EAP method version (meaning
			    * of 0/-1 is method specific; not visible here) */
	unsigned int remediation:1;
	unsigned int macacl:1;
	int ttls_auth; /* bitfield of
			* EAP_TTLS_AUTH_{PAP,CHAP,MSCHAP,MSCHAPV2} */
	struct hostapd_radius_attr *accept_attr; /* RADIUS attributes to
						  * include on accept */
	u32 t_c_timestamp; /* terms-and-conditions timestamp, presumably
			    * (used by the Hotspot 2.0 T&C flow) -- confirm */
};
45
/*
 * struct eap_eapol_interface - RFC 4137 interface variables
 *
 * The variables exchanged between the EAP full authenticator state machine
 * and its two neighbours: the lower layer (EAPOL) and the AAA interface.
 * Names follow RFC 4137 section 5; comments marked "shared with" identify
 * variables that the IEEE 802.1X state machines also read or write.
 * Obtained from a state machine with eap_get_interface().
 */
struct eap_eapol_interface {
	/* Lower layer to full authenticator variables */
	Boolean eapResp; /* shared with EAPOL Backend Authentication */
	struct wpabuf *eapRespData; /* the EAP response received from the peer */
	Boolean portEnabled;
	int retransWhile; /* retransmission timer; with eapSRTT/eapRTTVAR these
			   * are the RFC 4137 retransmission timing variables */
	Boolean eapRestart; /* shared with EAPOL Authenticator PAE */
	int eapSRTT;
	int eapRTTVAR;

	/* Full authenticator to lower layer variables */
	Boolean eapReq; /* shared with EAPOL Backend Authentication */
	Boolean eapNoReq; /* shared with EAPOL Backend Authentication */
	Boolean eapSuccess;
	Boolean eapFail;
	Boolean eapTimeout;
	struct wpabuf *eapReqData; /* the EAP request to send to the peer */
	/* Exported keying material (eapKeyDataLen octets) once
	 * eapKeyAvailable is TRUE; presumably the MSK -- confirm with the
	 * state machine before deriving anything from it. */
	u8 *eapKeyData;
	size_t eapKeyDataLen;
	/* EAP Session-Id (eapSessionIdLen octets); NULL until the method
	 * provides one -- assumed, verify */
	u8 *eapSessionId;
	size_t eapSessionIdLen;
	Boolean eapKeyAvailable; /* called keyAvailable in IEEE 802.1X-2004 */

	/* AAA interface to full authenticator variables */
	Boolean aaaEapReq;
	Boolean aaaEapNoReq;
	Boolean aaaSuccess;
	Boolean aaaFail;
	struct wpabuf *aaaEapReqData; /* EAP request relayed from the AAA
				       * server (pass-through mode) */
	u8 *aaaEapKeyData; /* key material from the AAA server,
			    * aaaEapKeyDataLen octets */
	size_t aaaEapKeyDataLen;
	Boolean aaaEapKeyAvailable;
	int aaaMethodTimeout;

	/* Full authenticator to AAA interface variables */
	Boolean aaaEapResp;
	struct wpabuf *aaaEapRespData;
	/* aaaIdentity -> eap_get_identity() */
	Boolean aaaTimeout;
};
86
/*
 * struct eap_server_erp_key - EAP Re-authentication Protocol (ERP) key entry
 *
 * One entry of the server-side ERP key store, looked up and added through
 * eapol_callbacks::erp_get_key() / erp_add_key(). Holds the re-authentication
 * root key (rRK) and integrity key (rIK) of the ERP key hierarchy referred
 * to in eap_config.erp. Allocate with room for the trailing keyname_nai
 * string (flexible array member); whether it is NUL-terminated is decided
 * by the allocator, not visible here.
 */
struct eap_server_erp_key {
	struct dl_list list; /* linkage in the owner's key list */
	size_t rRK_len; /* valid octets in rRK */
	size_t rIK_len; /* valid octets in rIK */
	u8 rRK[ERP_MAX_KEY_LEN];
	u8 rIK[ERP_MAX_KEY_LEN];
	u32 recv_seq; /* last received sequence number, presumably used for
		       * replay detection of EAP-Initiate/Re-auth -- confirm */
	u8 cryptosuite; /* ERP cryptosuite identifier for rIK */
	char keyname_nai[]; /* keyName-NAI the entry is indexed by */
};
97
/*
 * struct eapol_callbacks - Callbacks from the EAP server into its owner
 *
 * Passed to eap_server_sm_init(); every callback receives the eapol_ctx
 * given there as ctx. Return-value conventions are not visible in this
 * header: get_eap_user() and erp_add_key() return int and presumably use
 * 0 for success / negative for failure -- confirm with the implementations.
 */
struct eapol_callbacks {
	/* Look up the user database entry for identity (identity_len octets)
	 * and fill *user; phase2 selects the inner-method (Phase 2) entry.
	 * identity is raw peer-supplied data and must be treated as
	 * untrusted by the implementation. */
	int (*get_eap_user)(void *ctx, const u8 *identity, size_t identity_len,
			    int phase2, struct eap_user *user);
	/* Text to include in EAP-Request/Identity; *len receives its length */
	const char * (*get_eap_req_id_text)(void *ctx, size_t *len);
	void (*log_msg)(void *ctx, const char *msg);
	int (*get_erp_send_reauth_start)(void *ctx);
	const char * (*get_erp_domain)(void *ctx);
	/* ERP key store access: look up by keyName-NAI / add a new entry
	 * (ownership of erp on success is not visible here -- verify). */
	struct eap_server_erp_key * (*erp_get_key)(void *ctx,
						   const char *keyname);
	int (*erp_add_key)(void *ctx, struct eap_server_erp_key *erp);
};
109
/**
 * struct eap_config - EAP server configuration
 *
 * Supplied to eap_server_sm_init() and released with
 * eap_server_config_free(). Fields without a description are method or
 * deployment specific knobs whose exact semantics live in the implementation.
 */
struct eap_config {
	/**
	 * ssl_ctx - TLS context
	 *
	 * This is passed to the EAP server implementation as a callback
	 * context for TLS operations.
	 */
	void *ssl_ctx;
	/* Context for message/log output (presumably wpa_msg() style) */
	void *msg_ctx;

	/**
	 * eap_sim_db_priv - EAP-SIM/AKA database context
	 *
	 * This is passed to the EAP-SIM/AKA server implementation as a
	 * callback context.
	 */
	void *eap_sim_db_priv;
	/* Whether the authenticator operates in backend (pass-through to AAA)
	 * mode -- assumed from the name, confirm */
	Boolean backend_auth;
	/* Non-zero to use the integrated EAP server rather than an external
	 * RADIUS server (presumably) */
	int eap_server;

	/**
	 * pwd_group - The D-H group assigned for EAP-pwd
	 *
	 * If EAP-pwd is not used it can be set to zero.
	 */
	u16 pwd_group;

	/**
	 * pac_opaque_encr_key - PAC-Opaque encryption key for EAP-FAST
	 *
	 * This parameter is used to set a key for EAP-FAST to encrypt the
	 * PAC-Opaque data. It can be set to %NULL if EAP-FAST is not used. If
	 * set, must point to a 16-octet key.
	 */
	u8 *pac_opaque_encr_key;

	/**
	 * eap_fast_a_id - EAP-FAST authority identity (A-ID)
	 *
	 * If EAP-FAST is not used, this can be set to %NULL. In theory, this
	 * is a variable length field, but due to some existing implementations
	 * requiring A-ID to be 16 octets in length, it is recommended to use
	 * that length for the field to provide interoperability with deployed
	 * peer implementations.
	 */
	u8 *eap_fast_a_id;

	/**
	 * eap_fast_a_id_len - Length of eap_fast_a_id buffer in octets
	 */
	size_t eap_fast_a_id_len;
	/**
	 * eap_fast_a_id_info - EAP-FAST authority identifier information
	 *
	 * This A-ID-Info contains a user-friendly name for the A-ID. For
	 * example, this could be the enterprise and server names in
	 * human-readable format. This field is encoded as UTF-8. If EAP-FAST
	 * is not used, this can be set to %NULL.
	 */
	char *eap_fast_a_id_info;

	/**
	 * eap_fast_prov - EAP-FAST provisioning modes
	 *
	 * 0 = provisioning disabled, 1 = only anonymous provisioning allowed,
	 * 2 = only authenticated provisioning allowed, 3 = both provisioning
	 * modes allowed.
	 */
	enum {
		NO_PROV, ANON_PROV, AUTH_PROV, BOTH_PROV
	} eap_fast_prov;

	/**
	 * pac_key_lifetime - EAP-FAST PAC-Key lifetime in seconds
	 *
	 * This is the hard limit on how long a provisioned PAC-Key can be
	 * used.
	 */
	int pac_key_lifetime;

	/**
	 * pac_key_refresh_time - EAP-FAST PAC-Key refresh time in seconds
	 *
	 * This is a soft limit on the PAC-Key. The server will automatically
	 * generate a new PAC-Key when this number of seconds (or fewer) of the
	 * lifetime remains.
	 */
	int pac_key_refresh_time;
	/* EAP-TEAP options; value meanings are defined by the EAP-TEAP
	 * server implementation and are not visible here */
	int eap_teap_auth;
	int eap_teap_pac_no_inner;
	int eap_teap_separate_result;
	/**
	 * eap_teap_id - EAP-TEAP identity type policy
	 *
	 * Which identity types (user and/or machine) the server allows,
	 * requires, or requests from the peer during EAP-TEAP.
	 */
	enum eap_teap_id {
		EAP_TEAP_ID_ALLOW_ANY = 0,
		EAP_TEAP_ID_REQUIRE_USER = 1,
		EAP_TEAP_ID_REQUIRE_MACHINE = 2,
		EAP_TEAP_ID_REQUEST_USER_ACCEPT_MACHINE = 3,
		EAP_TEAP_ID_REQUEST_MACHINE_ACCEPT_USER = 4,
		EAP_TEAP_ID_REQUIRE_USER_AND_MACHINE = 5,
	} eap_teap_id;

	/**
	 * eap_sim_aka_result_ind - EAP-SIM/AKA protected success indication
	 *
	 * This controls whether the protected success/failure indication
	 * (AT_RESULT_IND) is used with EAP-SIM and EAP-AKA.
	 */
	int eap_sim_aka_result_ind;
	/* EAP-SIM/AKA identity handling options (bit flags, presumably);
	 * defined by the EAP-SIM/AKA server implementation */
	int eap_sim_id;

	/**
	 * tnc - Trusted Network Connect (TNC)
	 *
	 * This controls whether TNC is enabled and will be required before the
	 * peer is allowed to connect. Note: This is only used with EAP-TTLS
	 * and EAP-FAST. If any other EAP method is enabled, the peer will be
	 * allowed to connect without TNC.
	 */
	int tnc;

	/**
	 * wps - Wi-Fi Protected Setup context
	 *
	 * If WPS is used with an external RADIUS server (which is quite
	 * unlikely configuration), this is used to provide a pointer to WPS
	 * context data. Normally, this can be set to %NULL.
	 */
	struct wps_context *wps;
	/* Maximum EAP message fragment size for methods that fragment
	 * (the TLS-based ones); units and 0-handling not visible here */
	int fragment_size;

	/* WPS: whether PBC is indicated in M1 -- name-based guess, confirm */
	int pbc_in_m1;

	/**
	 * server_id - Server identity
	 *
	 * server_id_len octets; consumed by the EAP methods that need a
	 * server identifier (which ones is not visible in this header).
	 */
	u8 *server_id;
	size_t server_id_len;

	/**
	 * erp - Whether EAP Re-authentication Protocol (ERP) is enabled
	 *
	 * This controls whether the authentication server derives ERP key
	 * hierarchy (rRK and rIK) from full EAP authentication and allows
	 * these keys to be used to perform ERP to derive rMSK instead of full
	 * EAP authentication to derive MSK.
	 */
	int erp;
	/* TLS session cache lifetime (seconds, presumably); 0 likely disables
	 * session resumption -- confirm with the TLS wrapper */
	unsigned int tls_session_lifetime;
	/* Bit flags handed to the TLS wrapper (TLS_CONN_* values) that select
	 * protocol versions and similar policy */
	unsigned int tls_flags;

	/**
	 * max_auth_rounds - Maximum number of EAP message rounds per session
	 *
	 * Upper bound on how many request/response rounds one EAP
	 * authentication may take before the server terminates it. This
	 * bounds the server resources a peer can hold by never finishing an
	 * exchange. NOTE(review): the accounting and the behaviour for 0 live
	 * in the state machine and are not visible here -- confirm before
	 * relying on a built-in default.
	 */
	unsigned int max_auth_rounds;

	/**
	 * max_auth_rounds_short - Maximum number of short EAP message rounds
	 *
	 * Separate, presumably tighter, bound applied to rounds whose
	 * messages carry little or no payload, so a peer cannot prolong a
	 * session with many near-empty messages while staying below
	 * max_auth_rounds. Which rounds count as "short" is defined by the
	 * state machine -- confirm.
	 */
	unsigned int max_auth_rounds_short;
};
262
/*
 * struct eap_session_data - Per-session data handed to eap_server_sm_init()
 *
 * Pointers are borrowed, not copied (const, no length fields for the
 * IEs beyond the wpabuf itself); the caller keeps them valid for as long
 * as the state machine may use them -- assumed, verify with the
 * implementation.
 */
struct eap_session_data {
	const struct wpabuf *assoc_wps_ie; /* WPS IE from the association
					    * request, or NULL */
	const struct wpabuf *assoc_p2p_ie; /* P2P IE from the association
					    * request, or NULL */
	const u8 *peer_addr; /* MAC address of the peer */
#ifdef CONFIG_TESTING_OPTIONS
	u32 tls_test_flags; /* test-only TLS behaviour overrides; never set
			     * in production builds */
#endif /* CONFIG_TESTING_OPTIONS */
};
271
272
/*
 * State machine lifecycle. eapol_ctx is handed back as the ctx argument
 * of every eapol_callbacks function. conf and sess are const; whether the
 * state machine copies them or keeps the pointers is not visible here.
 * Returns NULL on failure (presumably). Pair every init with
 * eap_server_sm_deinit().
 */
struct eap_sm * eap_server_sm_init(void *eapol_ctx,
				   const struct eapol_callbacks *eapol_cb,
				   const struct eap_config *conf,
				   const struct eap_session_data *sess);
void eap_server_sm_deinit(struct eap_sm *sm);
/* Run the state machine until it settles; the int result's meaning is
 * defined by the implementation */
int eap_server_sm_step(struct eap_sm *sm);
void eap_sm_notify_cached(struct eap_sm *sm);
void eap_sm_pending_cb(struct eap_sm *sm);
int eap_sm_method_pending(struct eap_sm *sm);
/* Accessors. Returned pointers are owned by sm and valid only while it
 * lives (and, for the identity, until eap_server_clear_identity()).
 * The identity is peer-supplied data; callers must not trust it as a
 * NUL-terminated or printable string -- *len gives the length. */
const u8 * eap_get_identity(struct eap_sm *sm, size_t *len);
const char * eap_get_serial_num(struct eap_sm *sm);
const char * eap_get_method(struct eap_sm *sm);
const char * eap_get_imsi(struct eap_sm *sm);
struct eap_eapol_interface * eap_get_interface(struct eap_sm *sm);
void eap_server_clear_identity(struct eap_sm *sm);
/* Hook for reporting MSCHAP challenge/response pairs (e.g. for logging or
 * external verification); buffer sizes of challenge/response are fixed by
 * MSCHAP and not passed explicitly -- confirm expected lengths in the
 * implementation */
void eap_server_mschap_rx_callback(struct eap_sm *sm, const char *source,
				   const u8 *username, size_t username_len,
				   const u8 *challenge, const u8 *response);
void eap_erp_update_identity(struct eap_sm *sm, const u8 *eap, size_t len);
/* Release the buffers held by an eap_user (password, salt, ...); the
 * struct itself is not freed -- presumably, verify */
void eap_user_free(struct eap_user *user);
/* Release an eap_config and the buffers it owns */
void eap_server_config_free(struct eap_config *cfg);

#endif /* EAP_H */
294
295 #endif /* EAP_H */